Description
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process. | |
| Title | n8n - AST Validator Bypass in Python Code Node | |
| First Time appeared |
N8n
N8n n8n |
|
| Weaknesses | CWE-184 | |
| CPEs | cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* | |
| Vendors & Products |
N8n
N8n n8n |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:41.624Z
Reserved: 2026-06-23T01:22:22.572Z
Link: CVE-2026-56777
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-184
Incomplete List of Disallowed Inputs